After much media fanfare, the official switch to EMV in the U.S. finally took effect on October 1, 2015. The technology has caused confusion among business owners, however, as they try to make sense of EMV’s role in the Payment Card Industry Data Security Standards (PCI DSS) requirements that went into effect three months prior, on July 1, 2015. Although EMV and PCI guidelines both help ensure that cardholder data is protected to cut down on credit card fraud, merchants are not required to implement EMV to be compliant with PCI DSS.
Unlike traditional credit cards, EMV-enabled cards use a microchip instead of a magnetic stripe to transmit data during a purchase transaction. Known as either chip-and-PIN or chip-and-signature cards, based on the authentication method required, EMV cards are read by inserting them into a slot in a payment terminal. (Some cards can also be waved a few inches from the terminal, and the data is transmitted using radio frequency identification.) Whereas the information on a magnetic stripe is static and can be skimmed and replicated to make fake copies of the original card, the chip in an EMV card generates a unique, encrypted code each time the card is used. The new technology makes it nearly impossible to skim the data and duplicate the card for fraudulent use.
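The per-transaction code described above can be modeled in a few lines. This is an added example, not code from the original article or from any payment vendor. It is a simplified model: the class names, the counter field and the use of HMAC-SHA-256 are assumptions chosen for illustration and are not the algorithms specified for real EMV cards.

```python
import hashlib
import hmac
import os


def _mac(key, atc, amount_cents, nonce):
    # HMAC-SHA-256 is a stand-in here, not the algorithm real cards use.
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Chip:
    """Constructed model of a chip card; the key never leaves the chip."""
    def __init__(self, key):
        self._key = key
        self.atc = 0  # transaction counter, incremented on every use

    def cryptogram(self, amount_cents, nonce):
        self.atc += 1
        return self.atc, _mac(self._key, self.atc, amount_cents, nonce)


class Issuer:
    """Constructed model of the issuer, which holds the same key."""
    def __init__(self, key):
        self._key = key
        self.last_atc = 0

    def authorize(self, atc, amount_cents, nonce, cryptogram):
        expected = _mac(self._key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        if atc <= self.last_atc:
            return "declined: counter already used"
        self.last_atc = atc
        return "approved"


def demo():
    key, nonce = os.urandom(32), os.urandom(4)  # constructed sample values
    chip, issuer = Chip(key), Issuer(key)
    atc, code = chip.cryptogram(2599, nonce)
    first = issuer.authorize(atc, 2599, nonce, code)
    replayed = issuer.authorize(atc, 2599, nonce, code)    # captured values resubmitted
    reused = issuer.authorize(atc + 1, 9999, nonce, code)  # old code on a new transaction
    atc2, code2 = chip.cryptogram(2599, nonce)
    return first, replayed, reused, issuer.authorize(atc2, 2599, nonce, code2), code != code2
```

Because the code is bound to a counter and to the transaction details, values captured from one purchase are declined when resubmitted, while static magnetic stripe data has no such binding.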
The switch to EMV technology means that all new credit and debit cards produced use an embedded smart-chip, and merchants are protected from liability in the event that the card information is stolen. Conversely, merchants that do not have EMV-enabled terminals are liable for fraud that occurs with a purchase transaction. This liability shift took effect in the U.S. on October 1, 2015, and provides a powerful incentive for merchants to ensure their payment system is EMV compatible.
Achieving PCI Compliance
The liability shift encourages merchants to implement chip terminals to protect customers as well as their own business; however, EMV compliance is not the same as PCI compliance. The PCI requirements are actually a broader set of guidelines designed to ensure that cardholder information that is processed, stored or transmitted by merchants remains secure and is not used fraudulently. PCI DSS includes a set of best practices for building and maintaining a secure network, mitigating vulnerabilities, and maintaining an information security policy, among other requirements. These standards apply to all retailers that accept credit cards, and retailers using a third-party credit card processor should be certain to select a company that is PCI compliant.
Retailers are not required to implement EMV to be compliant with PCI DSS, and implementing EMV-enabled payment systems does not mean the merchant is PCI compliant. EMV is just another tool to reduce fraud and provide added security for both the cardholder and the business when processing credit card transactions. Likewise, EMV is not mandated or regulated by a government body, and merchants are not subject to fines if they fail to implement the security guidelines.
Although merchants are not mandated to have a smart-chip reader in place, not having EMV-enabled terminals places them at unnecessary financial risk for credit card fraud, now that the liability shift has taken effect. Used together, EMV and PCI DSS can make transactions safer through every stage of credit card processing. Integrity Payment Systems offers a number of affordable POS solutions using the new EMV technology to keep cardholder data secure, so you and your customers can rest easy with every payment transaction.